[packages/bcc.git] / dev86-print-overflow.patch

From: Lubomir Rintel <lkundrak@v3.sk>

There are off-by-one errors when filling the ar headers, the trailing nul
would overflow the target buffer.

diff -urp dev86-0.16.17/ld/mkar.c dev86-0.16.17.fixed/ld/mkar.c
--- dev86-0.16.17/ld/mkar.c	2004-06-20 09:23:27.000000000 +0200
+++ dev86-0.16.17.fixed/ld/mkar.c	2010-03-29 23:34:30.351426404 +0200
@@ -51,12 +51,12 @@ char buf[128];
       memset(&arbuf, ' ', sizeof(arbuf));
       strcpy(buf, ptr); strcat(buf, "/                 ");
       strncpy(arbuf.ar_name, buf, sizeof(arbuf.ar_name));
-      
-      sprintf(arbuf.ar_date, "%-12ld", (long)st.st_mtime);
-      sprintf(arbuf.ar_uid, "%-6d",    (int)(st.st_uid%1000000L));
-      sprintf(arbuf.ar_gid, "%-6d",    (int)(st.st_gid%1000000L));
-      sprintf(arbuf.ar_mode, "%-8lo",  (long)st.st_mode);
-      sprintf(arbuf.ar_size, "%-10ld", (long)st.st_size);
+     
+      snprintf(arbuf.ar_date, 12, "%-12ld", (long)st.st_mtime);
+      snprintf(arbuf.ar_uid, 6, "%-6d", (int)(st.st_uid%1000000L));
+      snprintf(arbuf.ar_gid, 6, "%-6d", (int)(st.st_gid%1000000L));
+      snprintf(arbuf.ar_mode, 8, "%-8lo", (long)st.st_mode);
+      snprintf(arbuf.ar_size, 10, "%-10ld", (long)st.st_size);
       memcpy(arbuf.ar_fmag, ARFMAG, sizeof(arbuf.ar_fmag));
 
       if( fwrite(&arbuf, 1, sizeof(arbuf), fd) != sizeof(arbuf) )
Commit	Line	Data
f24e9fd9 JR	1	From: Lubomir Rintel <lkundrak@v3.sk>
	2
	3	There are off-by-one errors when filling the ar headers, the trailing nul
	4	would overflow the target buffer.
	5
	6	diff -urp dev86-0.16.17/ld/mkar.c dev86-0.16.17.fixed/ld/mkar.c
	7	--- dev86-0.16.17/ld/mkar.c 2004-06-20 09:23:27.000000000 +0200
	8	+++ dev86-0.16.17.fixed/ld/mkar.c 2010-03-29 23:34:30.351426404 +0200
	9	@@ -51,12 +51,12 @@ char buf[128];
	10	memset(&arbuf, ' ', sizeof(arbuf));
	11	strcpy(buf, ptr); strcat(buf, "/ ");
	12	strncpy(arbuf.ar_name, buf, sizeof(arbuf.ar_name));
	13	-
	14	- sprintf(arbuf.ar_date, "%-12ld", (long)st.st_mtime);
	15	- sprintf(arbuf.ar_uid, "%-6d", (int)(st.st_uid%1000000L));
	16	- sprintf(arbuf.ar_gid, "%-6d", (int)(st.st_gid%1000000L));
	17	- sprintf(arbuf.ar_mode, "%-8lo", (long)st.st_mode);
	18	- sprintf(arbuf.ar_size, "%-10ld", (long)st.st_size);
	19	+
	20	+ snprintf(arbuf.ar_date, 12, "%-12ld", (long)st.st_mtime);
	21	+ snprintf(arbuf.ar_uid, 6, "%-6d", (int)(st.st_uid%1000000L));
	22	+ snprintf(arbuf.ar_gid, 6, "%-6d", (int)(st.st_gid%1000000L));
	23	+ snprintf(arbuf.ar_mode, 8, "%-8lo", (long)st.st_mode);
	24	+ snprintf(arbuf.ar_size, 10, "%-10ld", (long)st.st_size);
	25	memcpy(arbuf.ar_fmag, ARFMAG, sizeof(arbuf.ar_fmag));
	26
	27	if( fwrite(&arbuf, 1, sizeof(arbuf), fd) != sizeof(arbuf) )